Penetration Testing

Note: Penetration testing guidelines have changed for PCI DSS version 3.0. For updated testing guidelines, see our PCI DSS version 3.0 Penetration Testing Guide.

What is Penetration Testing?

1 Stop PCI Scan recognizes that the PCI DSS takes a defense-in-depth approach to PCI compliance. True PCI compliance involves more than quarterly external PCI scanning: annual penetration testing is also a requirement for almost all businesses.

Penetration testing simulates an actual attack on the customer's network. This type of testing helps determine what a malicious actor could actually accomplish in a real-world attack.

Section 11 of the PCI DSS enumerates the requirements businesses need to fulfill in order to properly handle the "regularly test security systems and processes" element of PCI compliance. Section 11.3.1 of the PCI DSS v3 reads:

"Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification."

Section 11.3.2 follows up by making internal penetration testing an annual requirement as well.

1 Stop PCI Scan offers penetration testing at a low cost, and each member of our skilled testing team is an Offensive Security Certified Professional (OSCP). Penetration testing cannot be priced at a standard rate that applies to all customers, because it is not a strictly automated process: compared to external PCI scanning, it involves more variables and significantly more manual work. Interested customers should contact 1 Stop PCI Scan for more information and customized pricing.